If you need to share confidential data, it's vital that the files are encrypted. See Securely sharing confidential data below for further advice.

It is vital you do not transmit the encryption password via the same method as the encrypted data.

You should use another method to provide the password to the recipient. For example, if you are sending an encrypted file via email, you can send the password in a paper-based letter, or tell it to the recipient on the phone.

If you have any questions about encryption, or other security issues, please contact the Library & IT Help Desk.

If you're using a device that is not owned or managed by the University, you can encrypt it yourself.

Windows devices

We advise you to use BitLocker to protect personal data and/or confidential information on Windows devices. If you're using a laptop or mobile device with a version of Windows that does not support BitLocker, you should not use that device to store or process personal data or confidential information.

Remember that not all devices support encryption. You must not use any unencrypted device to directly access or store confidential University information. Instead, you should use the Virtual Desktop Service (VDS) to access the data through a secure virtual machine.

Encryption passwords

Any encryption is only as strong as the password chosen. Short or easily guessable passwords can be broken.

You can buy USB sticks that include hardware-based encryption. These are secure, but can usually only be used on Windows machines that have extra software installed.

If you wish to use one of these devices, we recommend the "Kingston Hardware Ultra Secure USB 256bit Hardware Encryption FIPS 140-2" (or another FIPS 140-2 certified USB stick). If you must use USB sticks, they are the best solution, and the only one that will satisfy some research funders.

There are a lot of other cheaper "encrypted" USB sticks out there, but only the more expensive ones properly encrypt data at the hardware level, so we strongly recommend sticking to the brands above.

Encrypting ZIP files

Another method for encrypting files is to enclose them in an encrypted zip file.

The default encryption method for ZIP files is not secure. It is outdated and can nowadays be broken easily. It is very important that you use the AES-256 encryption method detailed below instead.

Windows

On IT Services managed PCs, zip files can be created and read with the software 7-Zip. The program can be installed via Software Center:

iZip will then ask you which files and folders you want to add to the encrypted zip file. When you have finished adding your files/folders, click Next.

iZip will display a summary of the options you've selected. Click Next and your encrypted zip file will be created.

Linux

The following instructions are based on Ubuntu 14.04. Other Linux distros may be similar but not identical.

You can use p7zip (a Linux command line version of 7-Zip on Windows) to create encrypted zip files. You can install p7zip with the following terminal command:

sudo apt-get install p7zip-full

Once p7zip is installed, encrypted zip files can be created with the following terminal command:

7za a -y -tzip -p -mem=AES256 archivename.zip /path/to/filestoencrypt

You will be prompted to enter a password for your encrypted zip file, which will then be saved to your current location in the terminal.

You can see a list of all available commands and switches in p7zip with the following terminal command:

7za -h
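
To confirm that an archive really uses AES-256 rather than the legacy ZIP encryption warned about above, you can inspect its central directory. The following Python script is an added example, not part of the original guidance: the function names and the sample entries are constructed for illustration, and it assumes a non-Zip64 archive in which AES entries carry the WinZip-style marker (method 99 with a 0x9901 extra field), which is what 7-Zip writes.

```python
import struct

CDH = struct.Struct("<4s6H3L5H2L")   # central directory file header, 46 bytes
EOCD = struct.Struct("<4s4H2LH")     # end of central directory record, 22 bytes
AES_BITS = {1: 128, 2: 192, 3: 256}  # strength byte in the 0x9901 extra field

def entry_encryption(flags, method, extra):
    """Classify one entry from its flag word, method and extra field."""
    if not flags & 0x01:             # bit 0 clear: contents are not encrypted
        return "none"
    if method != 99:                 # encrypted, but without the AES marker method
        return "PKWARE strong encryption" if flags & 0x40 else "ZipCrypto"
    pos = 0
    while pos + 4 <= len(extra):     # walk the (id, size, data) extra records
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == 0x9901 and size >= 7 and pos + 11 <= len(extra):
            return "AES-%d" % AES_BITS.get(extra[pos + 8], 0)
        pos += 4 + size
    return "unknown"

def audit(zip_bytes):
    """Return {filename: scheme} for every central directory entry."""
    end = zip_bytes.rfind(b"PK\x05\x06")
    if end < 0:
        raise ValueError("not a ZIP archive")
    count, pos = EOCD.unpack_from(zip_bytes, end)[4:7:2]  # entry count, CD offset
    result = {}
    for _ in range(count):
        f = CDH.unpack_from(zip_bytes, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError("corrupt central directory")
        flags, method, nlen, elen, clen = f[3], f[4], f[10], f[11], f[12]
        name = zip_bytes[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        extra = zip_bytes[pos + 46 + nlen:pos + 46 + nlen + elen]
        result[name] = entry_encryption(flags, method, extra)
        pos += 46 + nlen + elen + clen
    return result

def sample_archive(entries):
    """Constructed input: central directory and EOCD only, no file data."""
    cd = b""
    for name, flags, method, extra in entries:
        cd += CDH.pack(b"PK\x01\x02", 63, 51, flags, method, 0, 0, 0, 0, 0,
                       len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    return cd + EOCD.pack(b"PK\x05\x06", 0, 0, len(entries), len(entries), len(cd), 0, 0)

AES256 = struct.pack("<HHH2sBH", 0x9901, 7, 2, b"AE", 3, 8)  # strength 3 = 256-bit
SAMPLE = sample_archive([(b"plain.txt", 0, 8, b""), (b"legacy.csv", 1, 8, b""),
                         (b"report.docx", 1, 99, AES256)])
print(audit(SAMPLE))
```

To check a real file, pass its contents to the function, for example audit(open("archivename.zip", "rb").read()); any entry reported as "none" or "ZipCrypto" should be re-created with the AES-256 option.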

Using Microsoft Office

Windows

The latest Windows versions of Microsoft Office (2007 and later) can encrypt a file using strong encryption. Earlier versions used only very weak encryption, which can easily be bypassed, and should not be used.

Microsoft provide their own guidance on protecting Office files. This guidance includes instructions on encryption:

Microsoft Office for Mac does not offer encryption for Word documents or Excel workbooks. It only offers basic password protection, which is not secure and must not be used for confidential University data.

However, Office for Mac can open files that have been encrypted using Office on Windows.

Encrypting PDF files

Encrypted PDF files can be a good method for transmitting data because, once encrypted, they can be sent via email. This method has the advantage that the recipient need not store any unencrypted versions of the file on disk.

Encrypted PDF files can be read with most PDF readers, including Adobe Reader. However, for encrypting the file, special software is needed.

Corel PDF Fusion

Corel PDF Fusion is installed on all IT Services managed classroom PCs, and is available to staff and research graduates for managed office PCs, unsupported machines and home use.

To encrypt a PDF file in Corel PDF Fusion:

Open the file you wish to encrypt

Go to Document | Set Document Security | Standard. This will open the Document Settings panel

Under Encryption Level, select '128-bit'. (If you are sure your recipient has PDF software capable of handling higher levels of encryption, you may wish to choose a higher level.)